Cybersecurity Updates For Week 16 of 2022

CVE-2021-3970, CVE-2021-3971, CVE-2021-3972: Lenovo UEFI Firmware Vulnerabilities

Security company ESET discovered three new vulnerabilities in the UEFI firmware of Lenovo laptops, affecting hundreds of Lenovo models including Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops.

Read more:
https://securityonline.info/cve-2021-3970-lenovo-uefi-firmware-vulnerabilities/

Hackers Are Getting Caught Exploiting New Bugs More Than Ever

A pair of reports from Mandiant and Google found a spike in exploited zero-day vulnerabilities in 2021. The question is, why?

Read more:
https://www.wired.com/story/zero-day-exploits-vulnerabilities-google-mandiant/

Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal

Drupal on Wednesday announced the release of security updates to resolve a couple of vulnerabilities that could lead to access bypass and data overwrite.

Read more:
https://www.securityweek.com/access-bypass-data-overwrite-vulnerabilities-patched-drupal

Other news worth mentioning:

Amazon’s Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug
Critical Chipset Bugs Open Millions of Android Devices to Remote Spying
Denonia Malware Shows Evolving Cloud Threats
Oracle Releases 520 New Security Patches With April 2022 CPU
Emotet reestablishes itself at the top of the malware world

Cybersecurity Updates For Week 14 of 2022

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda

Cado Labs routinely analyses cloud environments to look for the latest threats. As part of ongoing research, we found the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.

Read more:
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011)

VMware cautions organizations to patch or mitigate several serious vulnerabilities across multiple products.

Read more:
https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011

Microsoft’s New Autopatch Feature to Help Businesses Keep Their Systems Up-to-Date

Microsoft last week announced that it intends to make generally available a feature called Autopatch as part of Windows Enterprise E3 in July 2022.

Read more:
https://thehackernews.com/2022/04/microsofts-new-autopatch-feature-to.html

Other news worth mentioning:

Google Play Bitten by Sharkbot Info-stealer ‘AV Solution’
Adobe Creative Cloud Experience makes it easier to run malware
Linux Systems Are Becoming Bigger Targets
The US is trying to fix medical devices’ big cybersecurity problem

Cybersecurity Updates For Week 12 of 2022

Okta’s Investigation of the January 2022 Compromise

On March 22, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta’s third-party customer support engineers.

Read more:
https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/

Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code

Microsoft has confirmed that it was breached by the Lapsus$ hacking group.

Read more:
https://techcrunch.com/2022/03/23/microsoft-lapsus-hack-source-code/

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

Google’s Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser.

Read more:
https://thehackernews.com/2022/03/north-korean-hackers-exploited-chrome.html

Other news worth mentioning:

7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in U.K.
FBI: Cybercrime Victims Suffered Losses of Over $6.9B in 2021
Feds Allege Destructive Russian Hackers Targeted US Refineries
Western Digital My Cloud OS update fixes critical vulnerability

Local privilege escalation vulnerability in Linux

Published: 2021-06-11
CVE-2021-3560

“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” The error is not handled correctly and the request is granted access.

As this vulnerability is very easy to exploit, patching should be done as soon as possible.

Internally this is being tracked in BF-VLN-2292713 with the highest priority.

CVE-2021-3156 | Heap-Based Buffer Overflow in Sudo

Published: 2021-01-26
MITRE CVE-2021-3156

“The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

This is especially bad for multi-user environments where some users have login access, but should not have root access.

Thanks to responsible and coordinated vulnerability disclosure on Qualys’ part, updated versions should be available for most affected systems. This vulnerability will probably affect most systems that make use of the sudo command.

The CVSS base score is 7, but during our evaluation we did not agree that no privileges are required. With the “Privileges Required” vector set to “Low” instead of “None”, the CVSS score is 6.7. We consider this our environmental CVSS score for this vulnerability.

Currently there is no exploit in the wild. If an exploit is published, mitigating this vulnerability as fast as possible will become critical.

We are tracking this internally as BF-VLN-2208165 with an increased priority and have a goal of having all systems patched within 30 days.

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommend that you install the updates for this vulnerability as soon as possible, even if you plan to leave a workaround in place.

CVSS Base score is 9.8.

Basefarm is currently evaluating this vulnerability and how best to handle it while ensuring operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details of the vulnerability are not publicly disclosed, meaning there should still be some time before this becomes a major issue. Should it become exploited in the wild, keep in mind that Basefarm always recommends that domain controllers are not reachable from the public internet.

Basefarm is currently evaluating this vulnerability and how best to handle it while ensuring operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.

CVE-2020-10713 – GRUB 2 boot loader buffer overflow – aka BootHole

Published: 2020-07-29
MITRE CVE-2020-10713

GRUB 2 is a “boot loader”: it runs before the actual operating system and allows a choice of which operating system to load and with what parameters. An attacker with administrative privileges on a system, or with physical access, can use this vulnerability to bypass the check of cryptographic signatures and run arbitrary code. GRUB 2 is the default boot loader for most popular GNU/Linux distributions, but it is independent of any OS, so this vulnerability can also be exploited against Windows systems.

Some might say that the game is over anyway once an attacker has administrative privileges or physical access, but this attack method gives an attacker a way to establish persistence on a system that may be invisible to the OS and its endpoint security platform.

Red Hat reports: “In CVE-2020-10713, an attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB.”

And for remediation: “Red Hat recommends all customers to update their grub2 packages. Red Hat customers using Secure Boot need to update kernel, fwupdate, fwupd, shim and dbxtool packages containing newly validated keys and certificates. Users running Secure Boot with Red Hat Enterprise Linux 8 need to take additional steps to boot into previously released RHEL 8 kernels after applying the grub2 package updates.”

This vulnerability has a CVSS Base score of 8.2 with the CVSS vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Basefarm is currently evaluating this vulnerability and its consequences for the continued secure operations of our customers and our own systems. Internally this is tracked in BF-VLN-2089662. At this early point we refer to the individual vendors for more information:

Microsoft ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Red Hat Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713

This vulnerability was discovered and responsibly disclosed by Eclypsium; see their in-depth technical write-up “There’s a Hole in the Boot”.

Update 2020-07-31: There are some reports of the RHEL grub2 security update rendering systems unbootable. Patching for vulnerabilities IS important, but doing so in a responsible manner is also a priority.

CVE-2020-1350 – SIGRed Windows DNS Server Remote Code Execution Vulnerability

Published: 2020-07-14
MITRE CVE-2020-1350

“A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.”

The tricky part about this is that a lot of systems normally closed off from direct access to the internet have indirect access to the internet via the forwarding capabilities built into DNS. If you are able to resolve regular domains like “basefarm.com”, “microsoft.com” and “google.com”, and you are asking your Windows Domain Controller to do so, that Domain Controller is vulnerable.

The recommended course of action is to upgrade as soon as possible. This requires a reboot. If a reboot is not something you can do right now, there is a workaround: a registry edit that only requires a restart of the DNS service. We refer to the official documentation for details about this workaround.

In our experience, and based on the information currently available, we expect to see working exploits in the wild within a week, and consider it likely that there will be widespread active attacks within 2 weeks.

Basefarm is tracking this vulnerability internally as BF-VLN-2084547, with the highest priority. All vulnerable internal Basefarm servers are scheduled to receive patches by 2020-07-15 18:00. We are currently chasing customer-specific servers and organizing emergency patching.

Update 2020-07-17 21:00 – All change tickets for customer-specific servers have attention. 4% of the tickets are still in implementation status; 96% are either in Post-implementation Review status or Closed status. We continue to monitor intelligence sources for signs of active exploitation and will ensure priority for the remaining 4% of customers.

Update 2020-07-21 – All servers are patched or have implemented workarounds for this vulnerability.

Official Microsoft Security Advisory

CVE-2020-5902 F5 Big-IP – K52145254: TMUI RCE vulnerability

Published: 2020-07-01
MITRE CVE-2020-5902

“The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.”

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

CVSS Base score: 10 of 10

Basefarm is tracking the internal work on this vulnerability as BF-VLN-2077661. We have gone through the CVSS calculator and produced an Environmental score for our own prioritization, as Basefarm does not expose the vulnerable TMUI, management port or Self IPs to public traffic. We do not recommend that anyone exposes the TMUI, management port or Self IPs to the public internet; they should be on a management VLAN reachable only after authentication with multi-factor authentication. The reason for this is exactly the risk of vulnerabilities like this one.

The recommended way to fix this is to upgrade to a newer version, but a temporary workaround also exists. We refer to the BIG-IP knowledge base article for details.